Technology: Navigating the export control maze

As a U.S. business grows into a global enterprise, it must pay attention to export regulations impacting the shipment (or transmission) of items and technology outside the U.S. Unfortunately, export control regulations are incredible complex. Below are a few hypothetical situations that provide a sense of the breadth and complexity of these regulations:

Mundus Corp. (MC) is an expanding global business with primary operations in the U.S. In connection with the opening of MC’s new Russian office, it has engaged Natar Ltd. (NL), an Asia-based technology outsourcing firm. NL will enhance an MC-developed information security software application, MC Lock, used to assist with customer database security. MC intends to electronically transmit MC Lock source code (the computer language programmers use) to one of NL’s Asian offices. NL will use such code to enhance MC Lock.

NL plans to send some of its Asia-based employees to MC’s U.S. offices. While there, these NL employees will access MC’s technology, including the source code to MC Secure.

MC’s CIO is planning a trip to Russia to visit MC’s new office. The chief information officer will bring a company-issued laptop with her. Her laptop’s hard drive will be encrypted (using standard “off-the-shelf” software).

Export control laws

The MC legal and compliance team will need to spend some time analyzing each of the scenarios above to make sure that MC remains in compliance with export (and import) control laws.

Some examples of these U.S. export regulations include:

The Export Administration Regulations (EAR) administered by the Commerce Department’s Bureau of Industry and Security (BIS). The EAR addresses the export of “dual use” items (i.e., items that have both commercial and military uses).

The International Traffic in Arms Regulations (ITAR) administered by the State Department. ITAR deals with the export of military and space-related technology.

The Office of Foreign Asset Control (OFAC) regime managed by the Treasury Department. OFAC restricts exporting items to certain countries (e.g., Iran, Cuba and the Sudan) and persons or entities (e.g., Hamas) subject to embargoes and trade sanctions.

The EAR

The EAR is the regulatory framework most applicable to our hypotheticals. The EAR controls the “shipment or transmission” of EAR-covered items outside of the U.S. It controls exports based on factors such the nature of the exported item, its destination, the end user and the purpose for which the exported item will be used.

In order to lawfully export an item subject to the EAR, the exporter must obtain a license from BIS or there must be an available license exception or exemption.

Analyzing hypothetical 1:Exporting software

An electronic transfer of source code to NL’s foreign office will be an export under the EAR. MC will have to undertake a somewhat complicated analysis to determine whether there is an EAR export classification control number (ECCN) applicable to MC Lock, and if so, whether there are any restrictions on exporting items associated with that ECCN to the Asian country in which NL’s office is located.

If MC is lucky, there will be no restrictions to exporting the MC Lock software to NL’s Asian office (or to NL). Even if there are restrictions associated with MC’s intended export, it is quite possible that there are available exemptions to the EAR license requirement.

Analyzing hypothetical 2: Deemed exports

It is tempting (but wrong) to think that the EAR will not apply to the second hypothetical. The EAR governs not only actual exports but also “deemed” exports. Under the EAR, a deemed export occurs when there is a release of covered technology (including source code) to a foreigner. That release is considered an export to the foreign national’s home country. MC must determine whether there is an EAR license required to transmit the exposed technology to the home countries of the NL employees.

Analyzing hypothetical 3: Short trips to foreign countries

If MC’s CIO takes her company-issued laptop to Russia, that act will constitute an export subject to the EAR. The good news is that the EAR does provide a limited license exemption that will allow her to bring the laptop with her so long as the trip is for less than a year, she keeps the device in her control and the software (including the encryption software) is, for the most part, standard commercially available software. Of course, certain countries—such as Russia—may still require users to obtain a license if they import encryption related software on their laptop.

Conclusion

Export laws are complex. If a company is engaged in the business of exporting equipment, technology or other items (or if it grants foreign workers access to controlled items in the U.S.), it should develop a compliance program to ensure that it is undertaking such exports in conformity with export control regulations.